Security & Compliance

Security isn’t a checkbox.
It’s the architecture.

We work in healthcare. Security is a prerequisite for trust. This page describes how we handle your data, our certifications, and what we expect from ourselves.

At a glance:
- ISO 27001:2022: Certified
- MRFF: Compliant (MRFF-backed)
- AES-256: At rest
- Azure AU: Data residency
01 Certification

ISO 27001:2022

Certified Information Security Management System. Independently audited and certified. Certificate available on request.

MRFF compliance

All MRFF-funded research data is handled in accordance with MRFF data governance requirements.

02 Data architecture

Data residency

Clinical data stays within the jurisdiction of the deploying institution. Australian deployments run on Azure AU infrastructure.

Data isolation

Each partner organisation's data — cases, corrections, knowledge bank updates — is fully isolated. No cross-organisation data sharing or training without explicit consent.

No training on your data without consent

Corrections captured through the ELI loop are used to retrain stage verifiers for the originating deployment only. We do not aggregate training data across partners.

Encryption

All data encrypted at rest (AES-256) and in transit.

03 Clinical data handling

De-identification

Case context summaries and reasoning traces are anonymised before they are made available for review by experts. Re-identification controls are enforced at the infrastructure level.

Minimum necessary data

We capture the reasoning signal — what the expert corrected and why — not the full patient record. Stage verifiers are trained on decision-level corrections, not raw clinical notes.

Audit trail

Every recommendation the system makes is logged with full provenance: which knowledge bank version, which stage verifiers, which guidelines, and what confidence scores. The log is immutable, exportable, and auditable by regulators.

Data retention

Retention periods are configurable. Default is aligned with Australian clinical record-keeping requirements. Deletion on request is supported and audited.

04 Infrastructure

Cloud hosting

Deployed on Microsoft Azure, Australian region (australiaeast).

On-premises

On-premises deployment available for health systems with strict data egress requirements.

Access controls

Role-based access control (RBAC) with MFA enforced for all system access.

Vulnerability management

We use Microsoft Defender for Cloud to provide a unified security view across cloud and code environments. A third-party penetration test is performed annually.

05 Governance

Information Security Policy

Reviewed and updated annually. Available to enterprise customers and regulators on request.

Incident response

Documented IR plan. 72-hour notification SLA for notifiable data breaches under the Australian Privacy Act.

Vendor management

All third-party vendors assessed against our security requirements before onboarding. Critical vendors reviewed annually.

Security questions or responsible disclosure?

Reach us directly at security@uncapt.com

We respond to responsible disclosure reports within 48 hours and commit to transparency about our findings and remediation timeline.